CVE-2025-11059: xml2rfc is vulnerable to arbitrary file reads through prepped files
When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious link element into the prepped RFCXML.
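As an added, defender-side example (not code from xml2rfc or from the advisory): a pre-flight check that parses a prepped RFCXML document and reports every `<link>` whose `href` is not an http(s) URL, so untrusted input can be refused before a PDF build on a version that still lacks the upstream fix. The scheme allowlist and the sample document are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Only remote http(s) links are accepted in a prepped file that is about to be
# rendered to PDF; anything else (file://, a bare relative path, data:, ...)
# is reported so the caller can refuse to build. This allowlist is an
# assumption for the example, not an xml2rfc setting.
ALLOWED_SCHEMES = {"http", "https"}


def unsafe_link_hrefs(xml_text: str) -> list[str]:
    """Return the href of every <link> element that is not an http(s) URL."""
    root = ET.fromstring(xml_text)
    flagged = []
    for link in root.iter("link"):
        href = (link.get("href") or "").strip()
        scheme = urlparse(href).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            flagged.append(href)
    return flagged


def is_safe_to_render(xml_text: str) -> bool:
    """True when the prepped document carries no suspicious <link> hrefs."""
    return not unsafe_link_hrefs(xml_text)


# Constructed sample: a minimal prepped RFCXML skeleton with one legitimate
# link and two injected ones (a file:// URL and a bare local path).
SAMPLE_PREPPED = """<rfc version="3" docName="draft-example-00" number="0000">
  <link href="https://datatracker.ietf.org/doc/draft-example-00" rel="prev"/>
  <link href="file:///srv/build/secret.txt" rel="stylesheet"/>
  <link href="../local.css" rel="stylesheet"/>
  <front><title>Example</title></front>
  <middle><section><name>Intro</name><t>Body.</t></section></middle>
</rfc>
"""

# Same document with the two injected links removed.
CLEAN_PREPPED = SAMPLE_PREPPED.replace(
    '  <link href="file:///srv/build/secret.txt" rel="stylesheet"/>\n', ""
).replace('  <link href="../local.css" rel="stylesheet"/>\n', "")

if __name__ == "__main__":
    for name, doc in (("injected", SAMPLE_PREPPED), ("clean", CLEAN_PREPPED)):
        verdict = "ok" if is_safe_to_render(doc) else "reject"
        print(name, "->", verdict, unsafe_link_hrefs(doc))
```

The check is a mitigation for untrusted prepped input only; the fixed release in the references below is the actual remedy.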
References
- github.com/advisories/GHSA-9mv7-3c64-mmqw
- github.com/ietf-tools/xml2rfc
- github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0
- github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2
- github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw
- nvd.nist.gov/vuln/detail/CVE-2025-11059